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Abstract — We  propose  a  trust-based  intrusion  detection  scheme 
utilizing  a  highly  scalable  hierarchical  trust  management  protocol 
for  clustered  wireless  sensor  networks.  Unlike  existing  work,  we 
consider  a  trust  metric  considering  both  quality  of  service  (QoS) 
trust  and  social  trust  for  detecting  malicious  nodes.  By 
statistically  analyzing  peer-to-peer  trust  evaluation  results 
collected  from  sensor  nodes,  each  cluster  head  applies  trust-based 
intrusion  detection  to  assess  the  trustworthiness  and 
maliciousness  of  sensor  nodes  in  its  cluster.  Cluster  heads 
themselves  are  evaluated  by  the  base  station.  We  develop  an 
analytical  model  based  on  stochastic  Petri  nets  for  performance 
evaluation  of  the  proposed  trust-based  intrusion  detection 
scheme,  as  well  as  a  statistical  method  for  calculating  the  false 
alarm  probability.  We  analyze  the  sensitivity  of  false  alarms  with 
respect  to  the  minimum  trust  threshold  below  which  a  node  is 
considered  malicious.  Our  results  show  that  there  exists  an 
optimal  trust  threshold  for  minimizing  false  positives  and  false 
negatives.  Further,  the  optimal  trust  threshold  differs  depending 
on  the  anticipated  wireless  sensor  network  lifetime. 

Index  Terms — Trust  management,  intrusion  detection,  wireless 
sensor  networks,  security,  false  positives,  false  negatives. 

I.  Introduction 

A  wireless  sensor  network  (WSN)  usually  consists  of  a  large 
number  of  tiny  sensor  nodes  (SNs)  deployed  in  an  operational 
area  for  data  sensing,  aggregating,  and  processing.  WSNs  have 
been  applied  in  transportation,  agriculture,  homeland  security, 
and  battlefield  applications.  The  exposure  to  natural 
environments  and  the  inherent  unreliability  of  wireless 
transmission  make  a  WSN  vulnerable  to  many  attacks  [1].  SNs 
deployed  in  hostile  environments  for  military  applications  also 
could  be  compromised  through  captures  and  become 
malicious.  Moreover,  due  to  severe  resource  constraints  of 
SNs,  such  as  energy,  memory,  and  computational  power, 
traditional  energy-consuming  defense  mechanisms  like  public- 
key  infrastructure  [10]  and  host-based  intrusion  detection 
techniques  [6]  may  not  be  feasible. 

Malicious  attacks  to  WSNs  can  be  classified  into  outsider 
attacks  and  insider  attacks.  While  most  outsider  attacks  such  as 
spoofing,  replay,  and  Sybil  attacks  can  be  prevented  by 
authentication  and  cryptography,  insider  attacks  are  much 
harder  to  deal  with.  In  this  paper,  we  develop  a  trust-based 
intrusion  detection  system  (IDS)  scheme  utilizing  a  highly 
scalable  hierarchical  trust  management  protocol  for  clustered 
wireless  sensor  networks  to  detect  inside  attackers. 

Unlike  existing  work,  we  consider  not  only  QoS  trust 
(< energy  and  cooperativeness)  derived  from  communication 
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networks  but  also  social  trust  {honesty)  derived  from  social 
networks  [2]  to  judge  if  a  node  is  compromised.  We  develop  a 
probability  model  based  on  the  stochastic  Petri  nets  (SPN)  to 
describe  the  behaviors  of  each  SN  or  cluster  head  (CH).  In  our 
protocol,  each  node  subjectively  evaluates  other  peers 
periodically.  With  peer-to-peer  trust  evaluations  reported  from 
SNs,  a  CH  obtains  a  comprehensive  trust  report  toward  all  SNs 
in  its  cluster  and  can  perform  statistical  analysis  to  identify  and 
exclude  malicious  nodes  in  the  network.  CHs  themselves  are 
evaluated  by  the  base  station  taking  in  peer-to-peer  trust 
evaluation  inputs  from  other  CHs.  This  hierarchical  structure 
reduces  network  traffic  by  eliminating  cross-cluster 
communications  among  SNs.  More  importantly,  we  develop  a 
statistical  method  to  predict  false  positive  and  false  negative 
probabilities  and  identify  optimal  design  settings  under  which 
false  positives  and  false  negatives  are  minimized. 

In  the  literature,  Wang  et  al.  [8]  proposed  an  intrusion 
detection  mechanism  based  on  trust  (IDMTM)  for  mobile  ad 
hoc  networks  (MANETs).  They  employed  the  concepts  of 
evidence  chain  and  trust  fluctuation  to  evaluate  a  node  in  the 
network,  with  the  evidence  chain  detecting  misbehaviors  of  a 
node,  and  the  trust  fluctuation  reflecting  the  high  variability  of 
a  node’s  trust  value  over  a  time  window.  Ebinger  et  al.  [3] 
introduced  a  cooperative  intrusion  detection  method  also  for 
MANETs  based  on  trust  evaluation  and  reputation  exchange. 
They  split  the  reputation  information  into  trust  and  confidence 
for  reputation  exchanges  and  then  combine  them  into 
trustworthiness  for  intrusion  detection.  In  WSNs,  several  trust 
management  protocols  [4,  5,  7]  have  been  proposed  for 
network  security,  data  integrity,  and  secure  routing.  However, 
most  work  only  considered  a  flat  WSN  structure.  Notably 
Shaikh  et  al.  [7]  proposed  a  group-based  trust  management 
scheme  for  clustered  WSNs.  Their  hierarchical  structure  used 
is  similar  to  our  work.  However,  they  only  considered  QoS 
metrics  (e.g.,  message  delivery  ratio  in  a  time  window)  based 
on  direct  observations  and  no  IDS  design  or  evaluation  was 
discussed.  To  the  best  of  our  knowledge,  our  work  is  the  first 
to  use  trust  to  implement  intrusion  detection  functionality  and 
evaluate  its  effectiveness  for  clustered  WSNs. 

II.  System  Model 

We  consider  a  clustered  WSN  consisting  of  multiple 
clusters,  each  with  a  cluster  head  (CH)  and  a  number  of  SNs  in 
the  corresponding  geographical  area  with  CHs  having  more 


computational  and  energy  resources  than  SNs.  The  CH  in  each 
cluster  may  be  selected  based  on  an  election  protocol  such  as 
HEED  [9].  A  SN  forwards  its  sensor  reading  to  its  CH  and  the 
CH  then  forwards  the  data  to  the  base  station  or  a  destination 
node  (or  sink  node)  through  other  CHs. 

Our  trust-based  IDS  scheme  considers  the  effect  of  both 
social  trust  and  QoS  trust  on  trustworthiness  or  maliciousness. 
In  the  literature,  social  trust  may  include  friendship,  honesty, 
privacy,  similarity,  betweenness  centrality,  and  social  ties 
(strengths)  [2].  QoS  trust  may  include  competence,  protocol 
conformance,  reliability,  task  completion  capability,  etc.  In  this 
work,  we  adopt  honesty  to  measure  social  trust  derived  from 
social  networks  and  adopt  energy  (for  measuring  competence) 
and  cooperativeness  to  measure  QoS  trust  derived  from 
communication  networks,  as  these  can  be  considered  as 
indicators  of  trustworthiness.  The  honesty  trust  component  is 
measured  through  evidences  of  dishonesty  such  as  false  self- 
reporting  [1,  5],  trust  fluctuation  [8]  and  abnormal  trust 
recommendations  (i.e.,  outliers  relative  to  recommendations 
received  from  other  recommenders).  The  energy  trust 
component  provides  a  piece  of  evidence  because  a 
compromised  node  usually  performs  energy-consuming 
attacks,  such  as  disseminating  bogus  messages.  Lastly,  a 
compromised  node  usually  manifests  itself  as  being 
uncooperative  because  of  selective  forwarding  or  message 
dropping  attacks  to  disrupt  message  routing  in  WSNs. 

We  assume  a  cognitive  WSN  in  which  a  smart  SN  may 
adjust  its  behavior  dynamically  according  to  its  own 
operational  state  and  environmental  conditions.  A  SN  not 
necessarily  compromised  may  become  uncooperative  just  to 
save  its  energy.  The  uncooperative  behavior  is  typically 
reflected  by  stopping  sensing  functions  and  arbitrarily 
dropping  messages.  If  not  compromised,  an  uncooperative  SN 
may  become  cooperative  to  serve  system  goals  such  as  service 
availability  if  few  cooperative  neighbor  nodes  are  around.  A 
SN  is  more  likely  to  be  compromised  when  it  has  low  energy 
(because  a  node  with  high  energy  may  perform  better  energy¬ 
consuming  defenses  against  attackers),  or  when  it  has  more 
compromised  neighbors  around.  A  compromised  SN  can 
perform  strong  attacks  such  as  black  hole  attacks,  good- 
mouthing  attacks  (recommending  a  bad  node  as  a  good  node), 
and  bad-mouthing  attacks  (recommending  a  good  node  as  a 
bad  node)  through  which  it  exhibits  dishonest  behaviors,  and 
weak  attacks  such  as  message  dropping,  and  selective  packet 
forwarding  through  which  it  exhibits  uncooperative  behaviors. 
After  a  SN  or  CH  is  compromised,  it  will  consume  more 
energy  to  perform  attacks.  Such  attack  behaviors  are 
manifested  as  evidences  against  the  honesty,  energy,  and 
cooperativeness  trust  properties. 

III.  Hierarchical  Trust  Management  for 
Intrusion  Detection 

Our  hierarchical  trust  management  protocol  maintains  two 
levels  of  trust:  SN-level  trust  and  CH-level  trust.  Each  SN 
evaluates  other  SNs  in  the  same  cluster  while  each  CH 


evaluates  other  CHs  and  SNs  in  its  cluster.  The  peer-to-peer 
trust  evaluation  is  periodically  updated  based  on  either  direct 
observations  or  indirect  observations.  When  two  nodes  are 
neighbors  within  radio  range,  they  evaluate  each  other  based 
on  direct  observations  via  snooping  or  overhearing.  Each  SN 
sends  its  trust  evaluation  results  toward  other  SNs  in  the  same 
cluster  to  its  CH.  Each  CH  performs  trust  evaluation  toward  all 
SNs  within  its  cluster.  Similarly,  each  CH  sends  its  trust 
evaluation  results  toward  other  CHs  in  the  WSN  to  the  base 
station.  The  base  station  performs  trust  evaluation  toward  all 
CHs  in  the  system. 

Our  peer-to-peer  trust  evaluation  process  considers  three 
different  trust  components  as  described  earlier,  namely, 
honesty,  energy,  and  cooperativeness.  The  trust  value  that  node 
i  evaluates  toward  node  j  at  time  t ,  7);(t),  is  represented  as  a 
real  number  in  the  range  of  [0,  1]  where  1  indicates  complete 
trust,  0.5  ignorance,  and  0  distrust.  7^(t)  is  computed  by: 
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where  wu  w2,  and  w3  are  weights  associated  with  these  three 
trust  components  with  W\  +  w2  +  w3  =  1 . 


A.  Peer-to-Peer  Trust  Evaluation 

This  section  describes  how  peer-to-peer  trust  evaluation  is 
conducted,  particularly  between  two  SNs  or  two  CHs. 
Specifically,  when  a  trustor  (node  i)  evaluates  a  trustee  (node  /) 
at  time  t ,  it  updates  Tj  (t)  where  X  indicates  a  trust  component 
as  follows: 


f  (1  -  a)T \xj  (t  -  At)  +  aT^direct{i), 


if  i  and  j  are  1  —  hop  neighbors; 
avg^Ct  -  At)  +  (1  -  y)T*:recom(t)}, 

kENi 
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f  otherwise. 

In  Equation  2,  if  node  i  is  a  1-hop  neighbor  of  node  /,  node  i 
will  use  its  direct  observations  ( 'j*’direct anc[  past 
experiences  (Tjj (t  —  At)  where  At  is  a  trust  update  interval) 
toward  node  j  to  update  T?j  (t).  A  parameter  a  (0  <  a  <  1)  is 
used  here  to  weight  these  two  contributions  and  to  consider 
trust  decay  over  time.  If  the  application  context  knowledge 
justifies  placing  higher  trust  on  recent  direct  observations  over 
past  experiences,  a  larger  a  (greater  than  0.5)  may  be  used; 
otherwise  equal  weighting  with  a  =  0.5  may  be  considered. 
Here  p^direct  Qf)  indicates  node  V  s  trust  value  toward  node  j 
based  on  direct  observations  accumulated  over  the  time  period 
[0,  t]  possibly  with  a  higher  priority  given  to  recent  interaction 
experiences  over  the  time  period  [t  —  At,  t]  .  Below  we 
describe  how  each  trust  component  value  j^direct  (t)  can  be 
obtained  based  on  direct  observations: 


•  p honesty, dir ect  This  refers  to  the  belief  of  node  i  that 

node  j  is  honest  based  on  node  V  s  direct  observations 
toward  node  j.  Node  i  can  monitor  node  f  s  dishonesty 
evidences  including  abnormal  trust  recommendations, 
false  self-reporting  [1,5],  and  trust  fluctuation  [8]  over  the 
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time  period  [0,  t\  to  estimate  7N  (t). 

T<en er  a y ,dir e ct  s  t^i  •  •  j*  ,  .1  ,  r* 

■7-  (t):  This  indicates  the  percentage  or  energy 

remaining  in  node  j  that  node  i  directly  observes  at  time  t. 
As  a  neighbor,  node  i  can  overhear  or  even  monitor  node 
/ s  packet  transmission  activities  over  the  time  period 
[0,t]  to  estimate  T™eray’dlrect  {t). 

•  Ttj  (t):  This  provides  the  degree  or 

cooperativeness  of  node  j  as  evaluated  by  node  i  based  on 
direct  observations  over  the  time  period  [0,  t\.  Node  i  can 
apply  overhearing  or  snooping  techniques  to  detect 
uncooperativeness  behaviors  such  as  packet  dropping  or 
selective  forwarding  and  may  give  recent  interaction 
experiences  a  higher  priority  over  old  experiences  in 

,  •  ,  •  rp, co operativeness, dir e ct 

estimating  7N  K  (t). 

On  the  other  hand,  if  node  i  is  not  a  1  -hop  neighbor  of  node 
y,  node  i  will  use  its  past  experiences  (Tj(t  —  At))  and 
recommendations  (Tkj recom  (t)  where  k  is  a  recommender)  to 
update  Tjj  (t).  A  parameter  y  is  used  here  to  weight  these  two 

contributions  and  to  consider  trust  decay  over  time  as  follows: 

1 

7  "  1  +  /?rife(t)  (3) 

Here  we  introduce  another  parameter  /?  >  0  to  specify  the 
impact  of  “indirect  recommendations”  on  (t)  such  that  the 
weight  assigned  to  indirect  recommendations  is  normalized  to 
! 3Tik(t )  relative  to  1  assigned  to  past  experiences.  Essentially, 
the  contribution  of  recommended  trust  increases  proportionally 
as  either  Tik{t )  or  /?  increases.  Instead  of  having  a  fixed  weight 
ratio  Tik(f)  to  1  for  the  special  case  in  which  /?  =  1,  we  allow 
the  weight  ratio  to  be  adjusted  by  changing  the  value  of  /?  and 
test  its  effect  on  protocol  resiliency  against  malicious 
recommendation  attacks,  such  as  good-mouthing  and  bad- 
mouthing  attacks.  Here,  Tik(t)  is  node  f  s  overall  trust  value 
toward  node  k  as  a  recommender  (for  node  i  to  assess  if  node  k 
provides  correct  information).  Note  that  node  i  can  choose  all 
its  1-hop  neighbors  as  recommenders.  The  new  trust  value 
T(y  (t)  in  this  case  would  be  the  average  of  the  combined  trust 
values  of  past  trust  information  and  recommendations  collected 
at  time  t. 


B.  Trust-based  Intrusion  Detection 

Each  SN  reports  its  trust  evaluation  toward  other  SNs  in  the 
same  cluster  to  its  CH.  The  CH  then  applies  statistical  analysis 
principles  (such  as  Equation  4  below)  to  Ttj  (t)  values  received 


to  perform  CH-to-SN  trust  evaluation  toward  node  j.  Our  trust- 
based  IDS  is  based  on  selecting  a  system  minimum  trust 
threshold  below  which  a  node  is  considered  compromised  and 
needs  to  be  excluded  from  sensor  reading  and  routing  duties. 
Specifically  a  CH,  c,  when  evaluating  a  SN,  /,  will  perform 
intrusion  detection  by  comparing  the  system  minimum  trust 
threshold  Tth  with  node / s  trust  value,  TCJ  (t ),  obtained  by: 


lCj' 

Tcj(t )  =  avg  {' Tij(t )} 

iEMcATci(t)>Tth 


(4) 


where  Mc  is  the  set  of  SNs  in  the  cluster.  CH  c  will  announce  j 
as  compromised  if  TCJ  (t)  is  less  than  Tth;  otherwise,  node  j  is 
not  compromised.  Note  that  we  only  take  into  account  the  trust 
values  received  from  those  SNs  which  are  not  considered 
compromised  by  the  CH.  The  CH  can  also  leverage 
Tjj(t)  values  received  from  SNs  in  its  cluster  to  detect  if  there 
is  any  outlier  as  a  piece  of  evidence  against  dishonesty. 

IV.  Performance  Model 

We  develop  a  probability  model  based  on  SPN  techniques  to 
describe  the  behaviors  of  each  SN  or  CH,  with  the  objective  to 
yield  energy,  cooperativeness  and  maliciousness  (for  honesty) 
status  of  a  node  dynamically.  We  choose  SPN  as  our  analytical 
tool  due  to  its  capability  to  represent  a  large  number  of  states 
for  complex  systems.  Leveraging  SPN  model  outputs  which 
provide  actual  status  of  SNs  and  CHs  in  the  system 
dynamically,  we  are  able  to  accurately  predict  peer-to-peer 
trust  values  obtainable  by  each  SN  or  CH,  and,  consequently, 
evaluate  the  performance  of  the  trust-based  IDS  scheme. 

A.  A  Probability  Model  for  Describing  Node  Behaviors 


T_COMPRO 

Figure  1:  SPN  Model  for  a  Sensor  Node  or  a  Cluster  Head. 

Figure  1  shows  the  SPN  model  that  describes  the  behaviors 
of  a  SN  (or  a  CH).  Without  loss  of  generality,  we  consider  a 
WSN  consisting  of  NSn  SNs  uniformly  distributed  in  an  M  by 
M  square-shaped  operational  area  and  NCh  CHs.  Each  SN  is 
attached  to  a  CH  based  on  its  location.  CHs  and  SNs  have 
radio  range  of  R  and  r,  respectively.  The  trust  update  interval  is 
At.  All  nodes  are  stationary  after  the  initial  deployment.  Below 
we  explain  how  we  construct  the  SPN  model  for  describing  the 
behaviors  of  a  single  node. 

Energy:  Place  Energy  represents  the  remaining  energy  level 
of  the  node.  The  initial  number  of  tokens  in  place  Energy  is  set 
to  Einit.  A  token  will  be  released  from  place  Energy  when 
transition  T  ENERGY  is  triggered.  The  rate  of  transition 
T  ENERGY  indicates  the  energy  consumption  rate.  A  CH 
consumes  more  energy  than  a  SN.  The  energy  consumption 
rate  is  affected  by  a  node’s  state.  It  is  higher  when  a  node  is 
compromised  because  it  takes  energy  to  perform  attacks.  We 
denote  AE-SN,  AE_CH  and  AE_compromised  as  the  amount  of 
energy  consumed  per  At  time  for  a  normal  SN,  a  normal  CH, 
and  a  compromised  node,  respectively,  which  can  be  obtained 
by  analyzing  historical  data  with  AE_SN  <  AE_CH  < 
&e- compromised.  The  energy  consumption  rate  is  multiplied 
with  p  (0<  p  <1)  if  the  node  is  uncooperative. 

Uncooperativeness:  We  model  the  uncooperative  behavior 
as  follows:  A  node  may  become  uncooperative  to  save  energy. 


An  uncooperative  node  may  stop  reading  data  and  drop  packets 
it  receives.  A  node  will  decide  if  it  wants  to  become 
uncooperative  upon  every  time  interval  Ts  according  to  its 
remaining  energy  and  the  number  of  cooperative  neighbors. 
Also  a  compromised  node  is  likely  to  be  uncooperative  as  it 
performs  weak  attacks  such  as  packet  dropping  or  selective 
packet  forwarding.  An  uncooperative  node  can  redeem  itself  to 
become  cooperative  upon  every  trust  update  interval  (At).  We 
model  these  behaviors  by  putting  a  token  into  place 
Uncooperative  when  transition  T  UNCOOPERATIVE  is 
triggered  or  by  removing  the  token  from  place  Uncooperative 
when  transition  TREDEMP  is  triggered.  A  token  in  place 
Uncooperative  thus  indicates  that  the  node  is  uncooperative.  A 
node’s  uncooperative  probability  is  modeled  by: 

/  prcooeprative 

p  _  -L  /  ^ consumed  n neighbor 

*  uncooperative  ~  I  77  '  77 

^  y  t'init  ^ neighbor 


where  Econsumed  is  energy  consumed  and  Einit  is  the  node’s 
initial  energy  level.  Thus  Econsumed/Einit  represents  the 
percentage  of  energy  consumed.  N™°^™*lve /Nneighbor  is  the 
percentage  of  cooperative  neighbors  where  N neighbor  6 's  the 


number  of  cooperative  neighbors  and  Nneighbor  is  the  total 
number  of  neighbors.  This  models  the  behavior  that  a  node’s 
uncooperative  probability  tends  to  be  lower  when  the  node  has 
more  energy  and  higher  when  the  node  has  more  cooperative 
neighbors  as  there  are  sufficient  cooperative  neighbors  around 
to  take  care  of  sensor  tasks.  It  also  models  the  behavior  that  a 
compromised  SN  is  likely  to  be  uncooperative  when  it  has  low 
energy,  thus  performing  only  weak  attacks  such  as  packet 
dropping.  Thus,  the  rates  of  transitions  T  UNCOOPERATIVE 
and  T  REDEMP  are  given  by  PUncooVerative/Ts  and  (1  - 
^uncooperative)  /  At  respectively.  Initially  all  nodes  are 
cooperative  with  no  token  in  place  Uncooperative. 

Maliciousness:  A  node  is  compromised  when  transition 
TCOMPRO  fires  and  a  token  is  put  in  place  Compromised. 
The  rate  of  transition  T  COMPRO  is  modeled  by: 


Xc  —  Ac_ 
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where  Xc_init  is  the  initial  node  compromising  rate  which  can 
be  obtained  by  first-order  approximation  based  on  historical 
data  about  the  targeted  network  environment.  Einit  and  Eremain 
indicate  a  node’s  initial  energy  and  remaining  energy, 


,•  i  ,t compromised  AThealthy 

respectively.  Nneigl’hor  and  /V„ 


neighbor 


are  the  numbers  of 


compromised  and  healthy  nodes  in  the  neighborhood. 


nr  compromised  ,  healthy 
/  'neia 


neighbor 


neighbor 


refers  to  the  ratio  of  the  number  of 


compromised  1-hop  neighbors  to  the  number  of  healthy 
(uncompromised)  1-hop  neighbors.  Equation  6  models  the 
behavior  that  a  node  is  more  likely  to  become  compromised 
when  it  has  low  energy  because  it  may  not  spare  its  energy  to 
perform  energy-consuming  defense  mechanisms,  or  when  there 
are  many  1-hop  neighboring  compromised  nodes  around  it 
because  of  collusive  attacks.  Note  that  all  nodes  are  healthy, 
i.e.,  not  compromised,  initially. 


The  overall  performance  model  for  describing  the  collective 
behavior  of  a  WSN  consists  of  N  SPN  subnet  models,  one  for 
each  SN,  and  NCh  SPN  subnet  models,  one  for  each  CH,  each 
with  different  energy  consumption,  uncooperative/redemption 
and  compromise  rates.  Below  we  describe  how  one  could 
leverage  SPN  outputs  to  obtain  peer-to-peer  trust  values  as  the 
basis  for  performance  evaluation  of  our  proposed  trust-based 
intrusion  detection  scheme. 


B.  Trust  Evaluation 

Recall  that  under  our  trust  management  protocol,  node  i 
will  subjectively  assess  its  trust  toward  node y,  T^(t),  based  on 
its  direct  observations  and  indirect  recommendations  obtained 
toward  node  j  according  to  Equations  1  and  2.  In  particular, 
node  i  will  apply  snooping  or  overhearing  techniques  to 
monitor  node  j  closely  to  compute  rp*’direct  (t)  based  on  direct 
observations  over  the  time  period  [0 ,t\.  As  a  result, 
jX, direct  ^  computed  by  node  i  will  fairly  accurately  reflect 
actual  status  of  node  j  at  time  t.  Leveraging  the  SPN  model 
developed  which  provides  actual  status  of  each  node 

i  ■  ii  -i  .  rp,  hone  sty, dir  e  ct 

dynamically,  we  can  easily  compute  T-;-  ( t ), 

j  energy, dir ect  ^  j, cooperativeness, dir ect  simply 

checking  the  status  of  node  j  at  time  t  in  node  y’s  SPN  model  as 
listed  in  Table  1.  Once  T? 'dir ect  (t)  is  computed,  node  i  will 
compute  T-j  (t)  based  on  Equation  2  and  subsequently 
compute  Tijit)  based  on  Equation  1.  Each  SN  then  reports  its 
trust  evaluation  values  to  its  CH  for  CH-to-SN  trust  evaluation 
and  CH-SN  intrusion  detection  based  on  Equation  4.  The  same 
procedure  is  applied  for  base  station-to-CH  intrusion  detection. 


Table  1:  Computing  T^'direct(t)  for  Component  X  based  on  Actual  Node 

Status. 


T?.direct(t) 

Value 

Status  (of  node  j) 

j,honesty,direct 

1 

Ifmark(Compromised)  =  0 

0 

Otherwise 

j,  energy, dir  ect 

mark(Energy)/ Einit  I 

j,  co  operativeness, dir  ect 

1 

If  mark(Uncooperative)  =  0 

0 

Otherwise 

C.  Performance  of  Trust-based  Intrusion  Detection 

We  develop  a  statistical  method  to  predict  the  performance 
(i.e.  false  positives  and  false  negatives)  of  our  trust-based  IDS 
scheme.  Recall  that  in  Equation  4,  each  CH,  c,  receives  trust 
evaluation  values  toward  node  y,  T^ft)’  s,  from  n  SNs  (not 
diagnosed  as  compromised)  and  uses  the  mean  value,  TCJ-  (t)  = 


Ti;(t),  to  decide  whether  node  j  is  compromised  or  not. 
Statistically,  c  should  announce  node  j  as  compromised  if  the 
expected  trust  value  toward  node  y,  is  below  the 

threshold  Tth;  otherwise,  node  j  is  announced  as  healthy. 
Consider  that  the  trust  value  toward  node  j  is  a  random  variable 
and  Ttj(ty  s  submitted  by  n  SNs  are  n  samples  of  this  random 
variable.  Then  we  have  a  random  variable  Xj  (t)  following  t- 
distribution  with  n  -  1  degree  of  freedom: 


Xj(t)  = 


Tij(t)  - 

Sj(t)/fn 


(7) 


where  TtJ  (t)  and  Sj  (t)  are  sample  mean  and  sample  standard 
deviation  of  node  /  s  trust  value,  respectively.  Thus,  the 
probability  that  node  j  is  diagnosed  as  a  compromised  node  at 
time  t  is: 


0,(t)  =  Pr  fait)  <  Tth ) 

l  T\Ji)-Tth\  (8) 

=  Pr  W 

V  S,(t)/Vn  ) 

The  false  positive  of  the  IDS  can  be  obtained  by  calculating 
0y(t)  under  the  condition  that  node  j  is  not  compromised. 
Similarly,  the  false  negative  probability  can  be  obtained  by 
calculating  1  —  0;  (t)  under  the  condition  that  node  j  is 
compromised. 

_  ryth\ 


fp 


(t)  =  Pr  I  Xj(t)  > 


Tltft)  ■ 


Sf  {t)/\pn 


fn(t)  =  Pr  f  XAt)  <  TlAAl — - — 


Sf  (t)/Vn 


(9) 


(10) 


Equations  9  and  10  give  the  false  positive  probability, 
pjv  (t),  and  false  negative  probability,  pfn(t),  of  our  proposed 
trust-based  intrusion  detection  scheme  at  time  t ,  respectively. 
Tfj  (t)  and  Sf  (f)  are  the  mean  value  and  standard  deviation  of 
node  / s  trust  values  reported  by  other  nodes  in  the  same 
cluster,  under  the  condition  that  node  j  is  not  compromised. 
Tfj  (t)  and  Sf  (t)  are  the  mean  value  and  standard  deviation, 
under  the  condition  that  node  j  is  compromised.  and 

7-(t)  can  be  easily  obtained  by  applying  the  Bayes’  theorem 
to  the  calculation  of  7^  (t). 

Pfp(t)  and  pfn(t )  vary  over  time.  The  average  false 
positive  and  false  negative  probabilities,  denoted  by  Pjv  and 


Pjn }  can  be  obtained  by  weighting  on  the  probability  of  node  j 
being  compromised  at  time  t,  i.e., 


pfp  __ 


^=o(i-^cw) 

fn_ZU 

rt=0Pjc(t) 


(ii) 


(12) 


where  Pf  (t)  is  the  probability  that  node  j  is  compromised  at 
time  t  which  can  be  obtained  from  the  SPN  model  output,  and 
L  is  the  anticipated  WNS  lifetime  period  over  which  the 
weighted  calculation  is  performed. 


V.  Numerical  Results 

In  this  section,  we  show  numerical  results  obtained  from 
the  performance  model  described  in  Section  IV.  Table  2  lists 
default  parameters  used.  We  consider  a  WSN  with  400  SNs 
and  25  CHs  uniformly  distributed  in  a  400m><400m  area.  The 
WSN  is  deployed  in  a  hostile  environment  with  the  node’s 
average  compromising  interval  in  the  range  of  [320 hrs, 
1440 hrs].  We  consider  the  worst  case  of  good-mouthing 
(providing  the  highest  trust  value  for  a  malicious  node)  and 
bad-mouthing  attacks  (providing  the  lowest  trust  value  against 


a  good  node).  The  initial  trust  value  is  set  to  1  since  all  nodes 
are  initially  healthy  (uncompromised)  and  cooperative. 


Table  2:  Default  Parameter  Values  Used. 


Param 

Value 

Param 

Value 

Param 

Value 

M 

400m 

R 

150m 

r 

50m 

Nsn 

400 

Nch 

25 

At 

80  hrs 

a 

0.5 

P 

1.0 

1  / ^ c-init 

[320,1440 ]hrs 

A e-sn 

80  hrs 

Ae-ch 

160/zrs 

A  E-compromised 

240 hrs 

P 

1/3 

Ts 

[80,480]/m? 

Wi,W2,W3 

1/3 

E in  it 

[360,480]  days  for  SNs,  [720,960]  days  for  CHs. 

Figure  2  compares  the  overall  trust  (using  equal  weighting 
with  w1:w2:w3=1/3:1/3:1/3)  toward  a  SN  randomly  picked  with 
the  node’s  compromising  interval  varying  from  320 hrs  to 
1440 hrs.  We  observe  that  the  trust  value  of  a  node  with  a 
higher  compromising  rate  drops  more  quickly,  which  makes  it 
easy  to  detect  by  our  trust-based  IDS  scheme. 


Figure  3:  False  Alarm  Probabilities  as  a  Function  of  Time. 

Figure  3  shows  the  false  positive  and  false  negative 
probabilities  of  our  trust-based  intrusion  detection  scheme  as  a 
function  of  time  t  with  L  =  100  days  and  7th  =  0.8.  We  first 
note  that  false  negatives  are  due  to  IDS  bad  nodes  as  good 
nodes,  the  effect  of  which  is  especially  pronounced  when  t  is 
small  at  which  a  bad  node’s  trust  level  is  likely  to  be  high  since 
all  nodes  have  high  energy  and  cooperativeness  trust  values 
initially.  On  the  other  hand,  false  positives  are  due  to  IDS 
misidentifying  good  nodes  as  bad  nodes,  the  effect  of  which  is 
especially  pronounced  when  t  is  large  at  which  a  good  node’s 
trust  value  is  likely  to  be  low  as  much  energy  is  consumed  and 
a  good  node  may  exhibit  uncooperative  behaviors  to  save 
energy.  This  is  the  trend  exhibited  in  Figure  3.  When  t  is  small, 
the  false  negative  probability  is  high  because  initially  the  trust 
value  of  every  node  is  high  and  thus  IDS  is  more  likely  to  miss 
a  compromised  node.  As  time  progresses,  the  false  negative 
probability  drops  but  the  false  positive  probability  increases 
slowly  since  the  trust  value  becomes  lower  and  the  IDS  is  more 
likely  to  misdiagnose  a  good  node  as  compromised.  We 
observe  that  after  the  initial  warm-up  period  after  nodes  have  a 
chance  to  perform  peer-to-peer  trust  evaluation  and  the  trust 
values  are  summarized  for  trust-based  intrusion  detection,  we 


can  obtain  acceptable  low  false  alarms  during  most  of  the 
useful  network  lifetime. 


Figure  4:  False  Alarm  as  a  Function  of  Th  with  £=100  days. 


> —  False  Positive  -  L=100days 


Figure  5:  False  Alarm  as  a  Function  of  Th  with  Varying  L. 


Figure  6:  Optimal  Trust  Threshold  as  a  Function  of  L. 

Figure  4  shows  the  sensitivity  of  the  false  alarm  probability 
with  respect  to  the  system  minimum  trust  threshold  7th  below 
which  a  node  is  considered  compromised.  We  use  Equations 
11  and  12  for  the  weighted  calculation  of  false  positive  and 
false  negative  probabilities  over  the  time  period  [0,  100]  days. 
One  can  note  that  as  the  minimum  trust  threshold,  Ith , 
increases,  the  overall  false  negative  decreases  while  the  overall 
false  positive  increases.  There  exists  an  optimal  trust  threshold 
at  which  both  false  negative  and  false  positive 
probabilities  are  minimized.  For  Z=100  days  and  the  network 
environment  characterized  by  the  set  of  parameter  setting  as 
listed  in  Table  2,  the  optimal  trust  threshold  Tth,opt  is  in  the 
range  of  [0.70,  0.80]  at  which  both  false  positive  and  false 
negative  probabilities  are  lower  than  0.01.  Figure  5  shows  the 
same  as  Figure  4,  except  that  we  vary  the  anticipated  network 
lifetime  L  from  100  to  480  days  in  the  calculation  of  the  false 
alarm  probability.  We  observe  from  Figure  5  that  the  optimal 
trust  threshold  rph>opt  shifts  toward  left  (becoming  lower)  as  the 
anticipated  WSN  lifetime  L  increases.  Figure  6  shows  that  the 
optimal  trust  threshold  7*a,0jP*  decreases  as  the  anticipated 
network  lifetime  (Z)  increases  because  a  node’s  trust  value 
decreases  over  time  due  to  energy  depletion  even  if  the  node  is 
not  compromised. 

VI.  Conclusion 

In  this  paper,  we  proposed  a  trust-based  IDS  scheme 


leveraging  a  hierarchical  trust  management  protocol  for  WSNs. 
We  considered  a  composite  trust  metric  deriving  from  both 
social  trust  (honesty)  and  QoS  trust  (energy  and 
cooperativeness)  as  an  indicator  of  maliciousness.  We 
developed  a  probability  model  based  on  SPN  techniques  to 
describe  the  behaviors  of  SNs  or  CHs  for  trust  evaluation  and 
intrusion  detection,  as  well  as  a  statistical  method  to  predict  the 
false  alarm  probabilities  of  the  trust-based  IDS  scheme.  The 
experimental  results  show  that  a  node  with  high  compromising 
rate  can  be  easily  detected,  thus  supporting  the  idea  of  using 
trust  to  implement  IDS  functionality.  We  analyzed  the 
sensitivity  of  false  alarm  probabilities  with  respect  to  the 
minimum  trust  threshold  below  which  a  node  is  considered 
compromised,  and  we  discovered  that  there  exists  an  optimal 
trust  threshold  at  which  both  false  positive  and  false  negative 
probabilities  are  minimized  and  that  the  optimal  trust  threshold 
decreases  as  the  network  lifetime  increases. 

There  are  several  future  research  directions,  including  (a) 
considering  more  social  trust  components  other  than  honesty 
and  studying  their  effects  on  false  alarms;  (b)  devising  and 
validating  a  decentralized  CH  trust  evaluation  scheme  for 
autonomous  WSNs  without  base  stations;  (c)  investigating  the 
impact  of  the  number  of  clusters  and  the  trust  update  interval  to 
protocol  performance;  (d)  conducting  a  comparative 
performance  analysis  of  existing  trust-based  IDS  techniques 
for  WSNs,  and  (e)  investigating  the  feasibility  of  using  trust  to 
implement  IDS  functionality  in  more  dynamic  networks  such 
as  mobile  WSNs  or  MANETs. 
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